
International Journal of Advanced Research in …

ISSN: 2278 – 1323. International Journal of Advanced Research in Computer Engineering & Technology, Volume 1, Issue 2, April 2012. All Rights Reserved © 2012 IJARCET.

Vulnerabilities of Wireless Security protocols (WEP and WPA2)

Vishal Kumkar, Akhil Tiwari, Pawan Tiwari, Ashish Gupta, Seema Shrawne

Abstract - Wireless Local Area Networks (WLANs) have become more prevalent and are widely deployed and used in many popular places like university campuses, airports, residences, cafes etc. With this growing popularity, the security of wireless networks is also very important.


In this study we present the security mechanisms available for WLANs. These security mechanisms are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA) and (WPA2). Our aim is to show how an attack can be made on systems using the above-mentioned mechanisms. We give a brief overview of their working, structure and algorithms, and explore the real-time vulnerabilities by issuing successful attacks against WEP and WPA2 networks. The attacks were done in an ad-hoc network, using three laptops with Wi-Fi facility. We begin with the WEP protocol, which employs a flawed RC4 algorithm, is very much prone to attack and is easily crackable, and then list some of its weaknesses.

We then look at WPA as the enhanced standard of WEP, along with some flaws in it. Finally an attack on WPA2 is explained. Aircrack-ng is the tool (software) that we have used to launch the attacks. The commands required for attacking are explained, along with screenshots to help understand the working.

Index Terms- WEP, , WPA, WPA2

I. INTRODUCTION

Wireless local area networks (WLANs) are of great importance in network technologies. WLANs, Bluetooth and cellular networks gained popularity in the computer and business industry, with many consequent security issues. Especially WLAN systems like IEEE networks became common access networks in private and public environments.

They have lots of benefits like mobility and flexibility. Unlike a traditional wired LAN, users have much more freedom for accessing the network. Such benefits also come with several security considerations. Security risks in wireless environments include the risks of wired networks plus new risks that result from mobility. To reduce these risks and protect users from eavesdropping, organizations have adopted several security mechanisms. The traditional WLAN security mechanism is WEP. WEP is an encryption algorithm designed in 1999 along with lb standard to provide wireless security. It employs the RC4 (Rivest Cipher 4) algorithm from RSA Data Security.

However, several serious weaknesses were identified by cryptanalysts and WEP was superseded by Wi-Fi Protected Access (WPA) in 2003, and then by the full IEEE standard (also known as WPA2) in 2004. Despite the serious security flaws, WEP still provides a minimal level of security. In this paper we investigate different security mechanisms available for WLANs, their real-time vulnerabilities and ways of cracking them.

II. IEEE STANDARDS

IEEE [1] is a set of Wireless LAN standards developed by working group 11 of the IEEE 802 committee. The first standard released in October 1997 and revised in March 1999 as The standard developed in 1999 for wireless asynchronous transfer mode (ATM) networks.

Standard was ratified in 2003. Successful businesses benefit from these standards both by actively participating in the standardization process and by using standards as strategic market instruments. When it comes to security, a number of committees have made an effort including the IEEE's Task Group i (TGi), the Internet Engineering Task Force and the National Institute of Standards (NIST). However, the group that plays the most powerful role in development of WLAN security standards is the TGi.

A. Architecture

network architecture consists of cells that are overlapped with each other.

Basic Service Set (BSS) defines the coverage area of a cell. A station that is not in a specific BSS cannot communicate with the other stations in this BSS. There are two network modes: Infrastructure Mode and Ad Hoc Mode. In infrastructure mode, WLANs consist of wireless stations and access points. Access points, which provide communication with the wired network and manage network traffic, are connected with a distribution system (such as Ethernet).

III. WIRELESS LAN SECURITY

The security mechanisms for secure communications on wireless networks have been developed in the following chronological order [2]:

* Wired Equivalent Privacy (WEP)
* Wi-Fi Protected Access (WPA)
* (WPA2)

A. Wired Equivalent Privacy

WEP [2] is an encryption algorithm developed by an IEEE volunteer group. The aim of the WEP algorithm is to provide secure communication over radio signals between two end users of a WLAN. WEP employs the RC4 algorithm for encryption and uses two key sizes, 40 bit and 104 bit; to each is added a 24-bit initialization vector (IV) which is transmitted directly. At the transmitter side the plaintext is XOR'ed with the key stream generated by the KSA and PRGA processes of RC4, and the cipher text is obtained.

These steps take place in the reverse order at the receiver side using the same key. WEP uses the CRC-32 algorithm for data integrity.

Fig 1. WEP Encryption

Fig 2. WEP Decryption

Attacking a WEP network

Some flaws in WEP make it crackable. The IV is sent as plaintext with the encrypted packet. Therefore, anyone can easily sniff this information out of the airwaves and thus learn the first three characters of the secret key. Both the KSA and PRGA leak information during the first few iterations of their algorithm. XOR is a simple process that can be easily used to deduce any unknown value if the other two values are known.

The format is (B + 3, 255, x) where B is the byte of the secret key being cracked. In order to sufficiently crack a real-life WEP key of a wireless AP, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them. However, in this work, we use a technique called injection to speed up the process. Injection involves having the AP resend selected packets over and over again very rapidly. This allows us to capture a large number of IVs in a short period of time.
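The WEP mechanics described above (cleartext IV prepended to the shared key, RC4 keystream XOR, CRC-32 integrity value) and the (B + 3, 255, x) IV format can be seen in a short Python sketch, added here as an example and not taken from the paper. It assumes a simplified frame body of 3-byte IV followed by ciphertext (the key ID byte is omitted); the function names, the key and the sample frames are constructed for illustration.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (KSA followed by PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):                       # KSA: key-dependent permutation
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Body = cleartext IV || RC4(IV || key) XOR (plaintext || CRC-32)."""
    data = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + xor(data, rc4(iv + key, len(data)))

def wep_decrypt(key: bytes, body: bytes) -> bytes:
    iv, ct = body[:3], body[3:]                # the IV is read straight off the frame
    data = xor(ct, rc4(iv + key, len(ct)))
    if struct.pack("<I", zlib.crc32(data[:-4])) != data[-4:]:
        raise ValueError("ICV mismatch")
    return data[:-4]

def is_weak_iv(iv: bytes, key_len: int) -> bool:
    """True if the IV has the form (B + 3, 255, x) for a key byte index B."""
    return iv[1] == 255 and 3 <= iv[0] < 3 + key_len

def reused_ivs(bodies) -> set:
    """IVs seen more than once; each repeat reuses the same keystream."""
    seen, dup = set(), set()
    for b in bodies:
        (dup if b[:3] in seen else seen).add(b[:3])
    return dup

KEY = b"\x01\x02\x03\x04\x05"                              # constructed 40-bit key
F1 = wep_encrypt(b"\x00\x00\x01", KEY, b"hello wlan")      # constructed frames
F2 = wep_encrypt(b"\x00\x00\x01", KEY, b"HELLO WLAN")      # same IV as F1
F3 = wep_encrypt(b"\x03\xff\x07", KEY, b"hello wlan")      # (B + 3, 255, x), B = 0
```

Because F1 and F2 share an IV, XOR-ing their ciphertexts cancels the keystream and yields the XOR of the two plaintexts without the key, which is why a 24-bit IV that repeats under a static key is a design flaw rather than a configuration mistake.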

